A piece of comment on the ICO's decision to fine Sony plopped into my inbox today. According to Vanessa Barnett, technology and media partner at law firm Charles Russell, the ICO's decision shows "that our regulator has some teeth - well, little ones!"
I don't think it shows anything of the kind. I think it makes the ICO look utterly toothless and gummy, sucking on a pickled egg and staring at its shoes, terrified of making eye contact with a genuine challenge from the private sector.
Last year, the ICO fined Brighton and Sussex NHS £325,000 for accidentally putting some old hard drives, full of patient records, on eBay.
Catastrophically stupid of that Trust, and perhaps this fine wasn't quite enough. Still, there was a good counter-argument: fining the NHS too heavily would be counter-productive, not only shaming the Trust in the media (as it did and continues to do) but also taking away so much of its money that patient care would start to suffer. Fair enough.
But what about Sony? During the 2011 DDoS attack and customer data breach on its PlayStation Network (PSN) service (or breaches - Sony was so comedically badly organised that it happened at least twice), 25 million user details were apparently stolen and millions of paid service contracts were suspended indefinitely. Sony's only public-facing reaction was first to say absolutely nothing to anybody about the breach for six whole days, and then to consistently deny its seriousness and get cagey about exactly what had been breached, how and why.
2.2 million customer credit card details allegedly went up for sale on an underground internet forum, and Sony employees even admitted to a US government body that the company's security software was out of date. The only payout affected customers ever got was a few free games and a weak apology: an absolute insult to the world at large, who may not think a free go on Wipeout HD makes up for the theft of their identity.
If I were getting incredibly lefty on this one, I'd even argue that Sony brought the ire of Anonymous and co upon itself anyway. Its treatment of kiddie hacker George Hotz over his 2010 PS3 firmware hack, pursued through legal action that was questionable at best (settled out of court, natch), seemed unwisely harsh. Hotz - who also pioneered some iOS tinkering - went on to work for Facebook, so was clearly of use to the industry at large, and could have been dealt with educationally and creatively rather than bluntly criminalised. We've all seen Catch Me If You Can, right? Far be it from me to suggest anybody should kowtow to the whims of hacker groups, but it's about knowing your audience. Especially if they're teenage nerds...
The ICO has stated that it wishes to focus more on watching (and, presumably, fining) the public sector, as it believes the private sector is leading the way on data compliance. Walls of silence, outdated software and a general bewilderment about what was happening to it mark out Sony as anything but leading the way (except absolutely down the toilet). I can't for the life of me see why Sony gets off with a pathetic fine like this one. Does multinational technology empire Sony have better lawyers than Brighton and Sussex NHS, perhaps?
And now the tech giant has announced it is to contest the fine, stating that there was "no evidence that encrypted payment card details were accessed" and, even more unbelievably, that "personal data is unlikely to have been used for fraudulent purposes". Is it possible to contest a fine simply because you believe your failure might have had no effect?
Will the ICO fight the good fight for even this pittance from Sony, or will it give up and keep simply shifting money around the public sector as usual? The answer feels sadly inevitable.